TLS/SSL Tools and Settings

TLS/SSL Tools

The following tools are associated with TLS/SSL.

Dsa.msc: Active Directory Users and Computers

Category

Active Directory Users and Computers is a Microsoft Management Console (MMC) that is automatically installed when you install Active Directory. This tool also ships with the Administration Tools Pack (Adminpak.msi).

You can access the tool from the Start menu. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

Version compatibility

Active Directory Users and Computers runs on domain controllers that run Windows Server 2003 or Windows 2000 operating systems. You can use MMC to administer and publish information in the directory.

The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000 Server.

On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 folder on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs Lightweight Directory Access Protocol (LDAP) traffic between the administrative tool clients and domain controllers.

Note

You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).

You can use Active Directory Users and Computers to manage the properties listed in the following table, which are associated with objects in Active Directory. Any changes you make affect certificate mapping for these objects.

Active Directory Users and Computers Object Management

| Property | Changes That Affect Schannel |
| --- | --- |
| Computer objects: Name Mapping Task | Can add, edit or remove certificates. |
| User objects: Name Mapping Task | Can add, edit or remove certificates. |
| User objects: Published Certificates Tab | Lists the X.509 certificates published for the user account. Can view, remove, and copy to file listed certificates. Can add new certificates from the local certificate store or from a DER Encoded Binary X509 (*.cer) or PKCS #7 (*.p7b) file. |

You can find more information about Active Directory Users and Computers on the TechNet Web site.

Eventvwr.msc: Event Viewer

Category

Event Viewer is included in the Windows Server 2003, Windows XP, and Windows 2000 operating systems.

Version compatibility

The system log contains Secure Channel (Schannel) events that are related to authentication.

Schannel Events

| Event ID | Severity | Description |
| --- | --- | --- |
| 36864 | Informational | The Schannel security package has loaded successfully. |
| 36865 | Error | A fatal error occurred while opening the system cryptographic subsystem cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is error code. |
| 36866 | Error | The Schannel security package has failed to load. Operations that require the SSL or TLS cryptographic protocols will not work correctly. |
| 36867 | Informational | Creating an SSL [client \| server] credential. |
| 36868 | Informational | The SSL [client \| server] credential’s private key has the following properties: CSP name, CSP type, Key name, Key Type, Key Flags. The attached data contains the certificate. |
| 36869 | Error | The SSL [client \| server] credential’s certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure. |
|  |  | No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as Microsoft Internet Information Services (IIS), are not affected by this. |
| 36873 | Error | No supported cipher suites were found when initiating an SSL connection. This indicates a configuration problem with the client application or the installed cryptographic modules. The SSL connection request has failed. |
| 36874 | Error | An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed. |
| 36875 | Warning | The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request might succeed or fail, depending on the server’s policy settings. |
| 36876 | Error | The certificate received from the remote server has not validated correctly. The error code is error code. The SSL connection request has failed. The attached data contains the server certificate. |
| 36877 | Warning | The certificate received from the remote client application has not validated correctly. The error code is error code. The attached data contains the client certificate. |
| 36878 | Warning | The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issued the certificate is not sufficiently trusted. The error code is error code. The attached data contains the client certificate. |
| 36879 | Warning | The certificate received from the remote client application was not successfully mapped to a client system account. The error code is error code. This is not necessarily a fatal error, as the server application might still find the certificate acceptable. |
|  |  | The certificate received from the remote server has expired. The SSL connection request has failed. The attached data contains the server certificate. |
| 36882 | Error | The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate. |
| 36883 | Error | The certificate received from the remote server has been revoked. This means that the certificate authority that issued the certificate has invalidated it. The SSL connection request has failed. The attached data contains the server certificate. |
| 36884 | Error | The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is servername. The SSL connection request has failed. The attached data contains the server certificate. |
| 36885 | Warning | When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted. |

To find more information about “Event Viewer”, see “Event Viewer” on TechNet.

Netmon.exe: Network Monitor

Category

A limited version of Network Monitor is included in Windows Server 2003, Windows XP, and Windows 2000 operating systems. The full version of Network Monitor is included with Microsoft Systems Management Server.

Version compatibility

Network Monitor enables you to capture network traces, which can be used to troubleshoot most network issues.

TLS/SSL Registry Entries

The following registry subkeys and entries can help you administer and troubleshoot TLS/SSL, but they apply more to Schannel SSP than TLS/SSL. They can help you verify that the required settings are applied.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.

CertificateMappingMethods

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003

This entry does not exist in the registry by default. The default value is that all four certificate mapping methods are supported.

Ciphers

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003, Windows XP, Windows 2000

This subkey controls use of symmetric algorithms.

DES 56/56

This subkey controls use of DES 56 bit algorithm.

NULL

This subkey controls use of no encryption.

RC2 128/128

This subkey controls use of RC2 128 bit algorithm.

RC2 40/128

This subkey controls use of RC2 40 bit algorithm.

RC2 56/128

This subkey controls use of RC2 56 bit algorithm.

RC4 128/128

This subkey controls use of RC4 128 bit algorithm.

RC4 40/128

This subkey controls use of RC4 40 bit algorithm.

RC4 56/128

This subkey controls use of RC4 56 bit algorithm.

Triple DES 168/168

This subkey controls use of 3DES 168 bit algorithm.

The default for these ciphers is enabled.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To re-enable the cipher, change the DWORD value to 0xffffffff.

ClientCacheTime

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003, Windows XP, Windows 2000

This entry controls the time to expire client side cache entries in milliseconds. A value of 0 turns off secure connection caching. This entry does not exist in the registry by default. The default values are:

Default Client Cache Time

| Windows Version | Time |
| --- | --- |
| Windows NT 4.0 with Service Pack 6a | 2 minutes |
| Windows NT 4.0 with Service Pack 6a and Q265369 | 60 minutes |
| Windows 2000 | 2 minutes |
| Windows 2000 with Service Pack 2 or greater | 10 hours |
| Windows XP | 10 hours |
| Windows Server 2003 | 10 hours |

Fipsalgorithmpolicy

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\LSA

Version

Windows Server 2003, Windows XP, Windows 2000

This entry controls FIPS compliance. The default is 0.

FIPS Cipher Suites

| Protocol Version | Key Exchange | Cipher | Hash |
| --- | --- | --- | --- |
| SSL 3.0 | RSA | DES CBC | SHA-1 |
| SSL 3.0 | RSA | 3DES EDE CBC | SHA-1 |
| SSL 3.0 | RSA | Export 1024 DES CBC | SHA-1 |
| TLS 1.0 | RSA | DES CBC | SHA-1 |
| TLS 1.0 | RSA | 3DES EDE CBC | SHA-1 |
| TLS 1.0 | RSA | Export 1024 DES CBC | SHA-1 |

Hashes

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003, Windows XP, Windows 2000

This subkey controls use of hash algorithms.

MD5

This subkey controls use of MD5 as hashing algorithm.

SHA

This subkey controls use of SHA-1 as hashing algorithm.

The default for these hash algorithms is enabled.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To re-enable the algorithm, change the DWORD value to 0xffffffff.
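The Enabled rule described under Ciphers and Hashes can be checked offline, without touching the registry. The following is an added example, not Microsoft's code: it reads a regedit export and reports the effective state of each subkey named on this page. The Ciphers\<name> and Hashes\<name> key layout, the sample export, and the policy list are assumptions made for the illustration.

```python
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
# Subkey names from this page; the Ciphers\<name> and Hashes\<name> layout is assumed.
KNOWN = {
    "Ciphers": ["DES 56/56", "NULL", "RC2 128/128", "RC2 40/128", "RC2 56/128",
                "RC4 128/128", "RC4 40/128", "RC4 56/128", "Triple DES 168/168"],
    "Hashes": ["MD5", "SHA"],
}

# Constructed sample of a regedit export, already decoded to text (real exports are UTF-16).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[" + SCHANNEL + r"\Ciphers\NULL]",
    '"Enabled"=dword:00000000',
    "[" + SCHANNEL + r"\Ciphers\RC4 40/128]",
    '"Enabled"=dword:00000000',
    "[" + SCHANNEL + r"\Ciphers\RC4 128/128]",
    '"Enabled"=dword:ffffffff',
    "[" + SCHANNEL + r"\Ciphers\DES 56/56]",   # key exists, no Enabled entry
    "[" + SCHANNEL + r"\Hashes\MD5]",
    '"Enabled"=dword:00000001',                # a value the page does not define
])

def parse_enabled(export_text):
    """Map (group, name), lowercased, to the Enabled DWORD found under SCHANNEL."""
    values, current = {}, None
    prefix = SCHANNEL.lower() + "\\"
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()   # registry key names are case-insensitive
            parts = key[len(prefix):].split("\\") if key.startswith(prefix) else []
            current = tuple(parts) if len(parts) == 2 else None
            continue
        m = re.fullmatch(r'"enabled"=dword:([0-9a-f]{8})', line, re.IGNORECASE)
        if m and current:
            values[current] = int(m.group(1), 16)
    return values

def classify(value):
    # Page rule: no Enabled entry = enabled by default, 0 = disabled, 0xffffffff = enabled.
    if value is None:
        return "enabled-by-default"
    return {0: "disabled", 0xFFFFFFFF: "enabled"}.get(value, "undefined-value-0x%08x" % value)

def effective_states(export_text):
    found = parse_enabled(export_text)
    return {(g, n): classify(found.get((g.lower(), n.lower())))
            for g, names in KNOWN.items() for n in names}

def not_disabled(states, must_be_disabled):
    """Return the policy entries whose effective state is anything other than disabled."""
    return [(k, states[k]) for k in must_be_disabled if states[k] != "disabled"]

if __name__ == "__main__":
    # Example policy chosen by the reviewer (an assumption, not from the page).
    policy = [("Ciphers", "NULL"), ("Ciphers", "RC4 40/128"), ("Ciphers", "DES 56/56")]
    for key, state in not_disabled(effective_states(SAMPLE_EXPORT), policy):
        print("NOT DISABLED: %s\\%s -> %s" % (key[0], key[1], state))
```

A subkey that exists without an Enabled entry still counts as enabled, which is the case most often missed when reviewing a host by eye.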

IssuerCacheSize

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003

This entry controls the size of the issuer cache and is used with issuer mapping. Starting with Windows Server 2003 operating systems, Schannel attempts to map all of the issuers in the client’s certificate chain, not just the one that directly issues the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name over and over, hundreds of times a second. To prevent this, Windows Server 2003 has a negative cache, so if an issuer name does not map to an account, then it is added to the cache and Schannel will not attempt to map the issuer name again until the cache entry expires. This registry entry specifies the cache size. This entry does not exist in the registry by default. The default value is 100.

IssuerCacheTime

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003

This entry controls the length of the cache timeout interval in milliseconds. Starting with Windows Server 2003 operating systems, Schannel attempts to map all of the issuers in the client’s certificate chain, not just the one that directly issues the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name over and over, hundreds of times a second. To prevent this, Windows Server 2003 has a negative cache, so if an issuer name does not map to an account, then it is added to the cache and Schannel will not attempt to map the issuer name again until the cache entry expires. This cache is kept for performance reasons, so that the system does not keep trying to map the same issuers over and over. This entry does not exist in the registry by default. The default value is 10 minutes.

KeyExchangeAlgorithm

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003, Windows XP, Windows 2000

This subkey controls use of key exchange algorithms.

Diffie-Hellman\Enabled

The subkey controls use of DH for key exchange.

PKCS

This subkey controls use of RSA for key exchange.

The default for these key exchange algorithms is enabled.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. When you disable any algorithm, you disallow all cipher suites that use that algorithm. To re-enable the algorithm, change the DWORD value to 0xffffffff.

MaximumCacheSize

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003, Windows XP, Windows 2000

This entry controls the maximum number of cache elements. Setting MaximumCacheSize to 0 disables the server-side session cache and prevents reconnects. Increasing MaximumCacheSize above the default values causes Lsass.exe to consume additional memory. Each session cache element typically requires 2-4k bytes of memory. This entry does not exist in the registry by default. The default value is 10,000 elements.

Registry path

Version

Client

This subkey controls use of PCT on the client.

Server

This subkey controls use of PCT on the server.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.

DisabledByDefault

This entry controls disabling PCT by default. This entry does not exist in the registry by default.

SendTrustedIssuerList

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003

This entry controls whether the server sends a list of trusted issuers to the client. In the case of servers that trust hundreds of certificate authorities for client authentication, there are too many issuers for the server to be able to send them all to the client when requesting client authentication. In this situation, this registry key can be set, and instead of sending a partial list, Schannel will not send any to the client.

Not sending a list of trusted issuers might impact what the client sends when asked for a client certificate. For example, when Internet Explorer receives a request for client authentication, it only displays the client certificates that chain up to one of the certificate authorities that is sent by the server. If the server did not send a list, then Internet Explorer displays all of the client certificates that are installed on the client machine. This behavior might be desirable: when PKI environments include cross certificates, the client and server certificates will not have the same root CA, and therefore Internet Explorer cannot choose a certificate that chains up to one of the server’s CAs. When the server is configured not to send a trusted issuer list, Internet Explorer will send all its certificates.

This entry does not exist in the registry by default. This value is true by default.

ServerCacheTime

Registry path

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version

Windows Server 2003, Windows XP, Windows 2000

This entry controls the time to expire server side cache entries in milliseconds. A value of 0 disables the server-side session cache and prevents reconnects. Increasing ServerCacheTime above the default values causes Lsass.exe to consume additional memory. Each session cache element typically requires 2-4k bytes of memory. This entry does not exist in the registry by default. The default values are:

SSL 2.0

Registry path

Version

Windows Server 2003, Windows XP, Windows 2000

This subkey controls use of SSL 2.0.

Client

This subkey controls use of SSL 2.0 on the client.

Server

This subkey controls use of SSL 2.0 on the server.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.

DisabledByDefault

SSL 3.0

Registry path

Version

Windows Server 2003, Windows XP, Windows 2000

This subkey controls use of SSL 3.0.

Client

This subkey controls use of SSL 3.0 on the client.

Server

This subkey controls use of SSL 3.0 on the server.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.

TLS 1.0

Registry path

Version

Windows Server 2003, Windows XP, Windows 2000

This subkey controls use of TLS 1.0.

Client

This subkey controls use of TLS 1.0 on the client.

Server

This subkey controls use of TLS 1.0 on the server.

To disable, create the Enabled entry in the appropriate subkey. (This entry does not exist in the registry by default.) After you have created the entry, change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 0xffffffff.

TLS/SSL Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Schannel.

Group Policy Settings Associated with Schannel

Group Policy Setting

Description

Security options:

System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing

Changes to this setting determine whether Schannel will only support the TLS protocol as a client (and as a server, if applicable) and only use:

Both the client and the server must support these algorithms and TLS to communicate using a secure channel application. For example, if you enable this policy setting, you will also need to configure Internet Explorer to use TLS (which is Off by default) to connect using Secure Hypertext Transfer Protocol (HTTPS) to a server with this setting.

For more information about Group Policy settings, see the “Group Policy Settings Reference for Windows Server 2003” in Tools and Settings Collection.